Independently confirming this - relax everyone! (As in, you can relax for Fineract. Don't relax for anything else you are responsible for - do check any other code you have, this security vulnerability is as bad as they can get; the Internet is rightfully on fire about this.)
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot (which I found while working on https://github.com/vorburger/MariaDB4j/issues/509) has some related background; TL;DR: *"The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable."*

Or, more technically:

$ ./gradlew fineract-provider:dependencies | grep log4j
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1

$ ./gradlew fineract-provider:dependencies | grep log4j-core
(nothing)

Hope this helps everyone to sleep well... ;-)

On Sat, Dec 11, 2021 at 10:28 AM AirsayLongCon <[email protected]> wrote:

> Hello Aleks
> Thank you for the clarification
>
> On Sat, Dec 11, 2021, 10:17 AM Aleksandar Vidakovic <[email protected]> wrote:
>
>> Hi,
>>
>> ... we are using SLF4J to abstract all the different logging frameworks
>> (Commons Logging, Log4J etc.). Under the hood logging in Fineract is done
>> by Logback and not Log4j. The only Log4j dependencies we have are those
>> that "redirect" the logging to Logback.
>>
>> Here's also a vulnerability report for that specific dependency
>> ("org.apache.logging.log4j:log4j-to-slf4j"):
>>
>> https://snyk.io/vuln/maven:org.apache.logging.log4j:log4j-to-slf4j
>>
>> FYI
>>
>> Cheers,
>>
>> Aleks
>>
>> On Sat, Dec 11, 2021 at 2:10 AM AirsayLongCon <[email protected]> wrote:
>>
>>> Hello community,
>>> Are we aware of the RCE reportedly affecting log4j
>>>
>>> If your organization uses the log4j library, you should upgrade
>>> to log4j-2.1.50.rc2 immediately.
>>>
>>> https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
>>>
>>
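The manual `./gradlew ... | grep log4j` check in the thread, turned into a small POSIX shell script. This is an added example, not code from Fineract or from anyone in the thread: it reads a Gradle dependency tree, separates the bridge jars (log4j-to-slf4j, log4j-api) that the thread says cannot be exploited on their own from log4j-core, and flags a log4j-core below a minimum version. The function names, the MIN_SAFE threshold (assumed here as 2.15.0, the first Log4j 2 release that addressed the issue; take the release you actually need from the current Apache Log4j advisory) and the sample trees are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify Log4j artifacts in a Gradle
# dependency tree, distinguishing the bridge/API jars (log4j-to-slf4j,
# log4j-api) from log4j-core, which is the artifact that matters.
# Usage after sourcing:  ./gradlew fineract-provider:dependencies | classify_log4j
#
# MIN_SAFE is an assumption for this example (first Log4j 2 release that
# addressed the issue discussed in the thread); take the release you actually
# need from the current Apache Log4j security advisory.
MIN_SAFE="${MIN_SAFE:-2.15.0}"

# True (exit 0) when dotted version $1 is lower than $2, comparing numeric
# components; a suffix such as "-rc2" is ignored, so a candidate build counts
# as its release.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Reads Gradle dependency-tree text on stdin and prints one line per distinct
# Log4j coordinate: "<artifact> <version> <verdict>". Gradle writes resolved
# conflicts as "group:artifact:requested -> resolved"; the sed keeps the
# resolved version, which is what ends up on the classpath.
classify_log4j() {
  sed -E 's/(org\.apache\.logging\.log4j:[^:]+):[^ ]+ -> ([^ ]+)/\1:\2/' \
    | grep -o 'org\.apache\.logging\.log4j:[A-Za-z0-9._-]*:[A-Za-z0-9._-]*' \
    | sort -u \
    | while IFS=: read -r _group artifact version; do
        case "$artifact" in
          log4j-core)
            if version_lt "$version" "$MIN_SAFE"; then
              verdict="VULNERABLE"
            else
              verdict="patched"
            fi ;;
          *) verdict="not-exploitable-alone" ;;
        esac
        printf '%s %s %s\n' "$artifact" "$version" "$verdict"
      done
}

# Overall verdict for a tree on stdin: "VULNERABLE" if an unpatched
# log4j-core is present, otherwise "OK" (covers the "(nothing)" case too).
log4j_verdict() {
  if classify_log4j | grep -q ' VULNERABLE$'; then
    echo VULNERABLE
  else
    echo OK
  fi
}

# Constructed sample trees for a stand-alone run (not real Gradle output):
# the first mirrors what the thread shows for Fineract, the second adds an
# unpatched log4j-core with a Gradle conflict arrow.
SAMPLE_FINERACT='|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1'
SAMPLE_WITH_CORE='+--- org.apache.logging.log4j:log4j-core:2.13.0 -> 2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1'

printf '%s\n' "$SAMPLE_FINERACT" | classify_log4j
printf '%s\n' "$SAMPLE_FINERACT" | log4j_verdict
printf '%s\n' "$SAMPLE_WITH_CORE" | classify_log4j
printf '%s\n' "$SAMPLE_WITH_CORE" | log4j_verdict
```

Run it as-is to see the two constructed samples classified, or source it and pipe real `./gradlew <project>:dependencies` output into `classify_log4j`. It only sees what Gradle declares for that project and configuration; a log4j-core shaded into a fat jar or present on some other classpath needs a separate check of the deployed artifacts.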
